[arch-projects] [RFC 00/23] Encrypted volume work

Matthew Monaco dgbaley27 at 0x01b.net
Fri May 18 12:21:54 EDT 2012


From: Matthew Monaco <matthew.monaco at 0x01b.net>

I worked with Dave and Tom this past weekend to clean up and enhance
encrypted volume handling. There are quite a few "patches" here, and
more to come against initscripts. All of this fixes a handful of bugs,
adds new features, and does some refactoring.

In summary, I wrote a new package called 'cryptmount.' The intention is
for it to depend on cryptsetup and to provide the encrypt hooks for
mkinitcpio. Additionally initscripts will depend on cryptmount
(optdepends will work too).

The cryptmount code is here [1] and the initscripts changes are here
[2].

There are a few goals:

1) Use the same code for the mkinitcpio encrypt hook and initscripts.

2) Allow for interoperability with systemd's crypttab format.
   This is accomplished without any forced changes on the user (with the
   exception of plaintext passwords in crypttab).

3) Allow the random seed to be restored before doing things like setting
   up a swap volume which uses /dev/urandom as a password.

4) If possible, allow for encrypted /usr from the initrd. This depends
   on Dave's working branch of mkinitcpio which provides late hooks (and
   cleanup hooks).

*5*) Do not drop support for current configurations. This is important.
   The only thing that is dropped is storing a plain text password in
   crypttab. Whether your options line in crypttab is literally for
   cryptsetup (--size=100 --cipher=...) or a comma separated list
   (size=100,cipher=...), your configuration will be supported.

   That said, if you see any holes in this statement, please let me know
   and I will address it.

This addresses the following bugs; there may be more, and you may
question whether it does for some of these:

FS#17131 - Restore random seed before using decryption

FS#24700 - Allow UUID for cryptdevice
           In addition we support UUID,PARTUUID,LABEL for both the
           encrypted device AND the passphrase if it is on an external
           device.

FS#27137 - I think a dup of the above.

FS#23182 - Multiple device support for the initrd
           The encrypt hook included supports root, /usr, and an
           arbitrary number of encrypted mappings.

FS#15738 - More or less similar to above

FS#21936 - Don't immediately revert to interactive pw if key device is
           not available. 
           All devices are resolved and waited on IFF udevd is running.
           This goes for the initrd and rc.sysinit.

FS#21198 - Mount key devices if needed.
           This is done whenever the key is a file on another device and
           that device is not already mounted.

FS#21513 - Provide a man page for crypttab.
           I wrote one, and one for cryptmount.

I have been testing this for the past week, but I'm sure there are some
bugs. Please report any problems you see (or experience if you are able
to test). Also, if you see an opportunity for improvements in
efficiency, cleanup, or additional functionality, let me know.

[1] https://github.com/mmonaco/cryptmount/tree/master
[2] https://github.com/mmonaco/initscripts/tree/crypto      

-- 
1.7.10.2
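
Goal 5 in the message above says a crypttab options field is accepted both as literal cryptsetup arguments and as a comma-separated list. The following is an added example, not part of the original message and not cryptmount's own code, showing one way to reduce both styles to the same argument list while refusing tokens that carry shell metacharacters. The function name `normalize_crypt_opts`, the allowed-character set and the sample cipher value are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not cryptmount's code): normalise a crypttab options field.
# Accepts the two styles named in the message:
#   literal cryptsetup arguments:  --size=100 --cipher=...
#   comma-separated list:          size=100,cipher=...
# Prints one argument per line; returns non-zero on a suspicious token.

normalize_crypt_opts() (
    # The body runs in a subshell so IFS, set -f and "$@" stay local.
    opts=$1
    [ -n "$opts" ] || exit 0            # empty field: no options

    case $opts in
        -*) style=legacy; IFS=' ' ;;    # already cryptsetup-style flags
        *)  style=list;   IFS=',' ;;    # key=value,key=value
    esac

    set -f                              # no pathname expansion while splitting
    set -- $opts                        # split on the chosen separator

    for tok in "$@"; do
        case $tok in
            '') continue ;;             # tolerate "a,,b"
            *[!A-Za-z0-9_=:./+-]*)
                # Assumed allow-list: anything else (quotes, $, ;, spaces,
                # backticks) is refused rather than passed on to cryptsetup.
                echo "rejected option: $tok" >&2
                exit 1 ;;
        esac
        if [ "$style" = list ]; then
            printf '%s\n' "--$tok"
        else
            printf '%s\n' "$tok"
        fi
    done
)

# Constructed sample fields, one per style; both print the same two lines.
normalize_crypt_opts '--size=100 --cipher=aes-xts-plain64'
normalize_crypt_opts 'size=100,cipher=aes-xts-plain64'
```

A caller would read the output line by line into its argument vector instead of re-splitting it through `eval`, so a crafted options field cannot inject extra commands.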


